path: root/eclass/python-utils-r1.eclass
author: Michał Górny <mgorny@gentoo.org> 2025-08-24 19:46:17 +0200
committer: Michał Górny <mgorny@gentoo.org> 2025-09-06 09:00:51 +0200
commit: 731acc06d17f48ab238354070d5a46d5a1853305 (patch)
tree: ca4f60748f030949f11bf7176e8a20fc4109c1b2 /eclass/python-utils-r1.eclass
parent: cd8b6bacbec940e1b503c01b54a0d83e69735bc6 (diff)
pypi.eclass: Introduce provenance verification API
Introduce a new API to verify provenance of PyPI artifacts. To enable it, set PYPI_VERIFY_REPO to the upstream repository URL. The eclass will automatically add a verify-provenance flag along with dependencies, fetch the provenance file from PyPI and export src_unpack() to verify it.

Support for provenance verification can be checked on PyPI's project page. If it is supported, the project metadata (i.e. "Project links") is found in "Verified details", whereas otherwise only "Maintainers" are in that section. It can also be seen under "view details" for individual artifacts.

The eclass also provides the low-level functions to account for special needs: pypi_provenance_url and pypi_verify_provenance.

The bits are implemented directly in pypi.eclass rather than verify-sig.eclass since they are pretty tightly bound to PyPI infrastructure, with nontrivial URLs and a dedicated provenance file format. On top of that, due to a difference in semantics, the flag is named verify-provenance rather than verify-sig.

Signed-off-by: Michał Górny <mgorny@gentoo.org>
Part-of: https://github.com/gentoo/gentoo/pull/43549
Signed-off-by: Michał Górny <mgorny@gentoo.org>
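An ebuild fragment showing where PYPI_VERIFY_REPO fits, written here as an illustration rather than taken from the commit or from any ebuild in the Gentoo tree. The package name "frobnicate", its repository URL and the PYTHON_COMPAT range are made up; it is also assumed, as with other pypi.eclass variables that change IUSE and dependencies, that the variable has to be set before inherit so the eclass can add the verify-provenance flag and its dependencies. Only what the commit message states is relied on: setting the variable, the flag name, and the eclass exporting src_unpack().

```ebuild
# Illustrative ebuild, not from the Gentoo tree. Upstream name and URL are hypothetical.
EAPI=8

DISTUTILS_USE_PEP517=setuptools
PYTHON_COMPAT=( python3_{11..13} )

# Upstream repository URL used for provenance verification (hypothetical project).
# Assumption: must be set before inherit so pypi.eclass can add the
# verify-provenance USE flag and its dependencies.
PYPI_VERIFY_REPO="https://github.com/example/frobnicate"

inherit distutils-r1 pypi

DESCRIPTION="Hypothetical package used to illustrate PYPI_VERIFY_REPO"
HOMEPAGE="https://pypi.org/project/frobnicate/"
# SRC_URI comes from pypi.eclass; with PYPI_VERIFY_REPO set, the eclass also
# fetches the provenance file and exports src_unpack() to verify it.

LICENSE="MIT"
SLOT="0"
KEYWORDS="~amd64"

# No IUSE or src_unpack() here: per the commit message the eclass adds the
# verify-provenance flag and exports src_unpack() itself.
```

The verification only runs when the verify-provenance flag is enabled on the ebuild; with it off the eclass fetches and unpacks the sdist as before. Ebuilds that need a non-default layout can call the lower-level pypi_provenance_url and pypi_verify_provenance functions named in the commit message, but their argument conventions are not shown on this page, so they are not used above.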
Diffstat (limited to 'eclass/python-utils-r1.eclass')
0 files changed, 0 insertions, 0 deletions